Description
oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operations is not affected. This issue has been patched in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.
A flaw was found in oqs-provider, which is an OpenSSL 3 provider that contains post-quantum algorithms. The issue arises from the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. As a result, malformed input could potentially cause crashes or leak information.
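A bounds-checked way to split a length-prefixed hybrid blob, as an added example that is not oqs-provider's own code. The layout (a 4-byte big-endian length for the traditional component, followed by the traditional and post-quantum components) and the names `split_hybrid`, `hybrid_parts`, `max_classical` and `expected_pq_len` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define LEN_PREFIX 4u /* bytes in the encoded length field */

struct hybrid_parts {
    const uint8_t *classical; size_t classical_len;
    const uint8_t *pq;        size_t pq_len;
};

/* Constructed sample: length 2, classical bytes AA BB, PQ bytes 01 02 03. */
static const uint8_t sample_blob[] = {0, 0, 0, 2, 0xAA, 0xBB, 1, 2, 3};

/* Decode a 4-byte big-endian length (assumed encoding of the prefix). */
static uint32_t decode_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Split buf into its two components; 0 on success, -1 if malformed.
 * max_classical and expected_pq_len are hypothetical per-algorithm limits. */
int split_hybrid(const uint8_t *buf, size_t buf_len, size_t max_classical,
                 size_t expected_pq_len, struct hybrid_parts *out)
{
    if (buf == NULL || out == NULL || buf_len < LEN_PREFIX)
        return -1; /* too short to contain the length prefix */
    size_t classical_len = decode_u32_be(buf);
    size_t remaining = buf_len - LEN_PREFIX;
    /* Compare with what is left instead of adding to the offset, so the
     * check cannot wrap around. */
    if (classical_len == 0 || classical_len > remaining)
        return -1;
    if (classical_len > max_classical)
        return -1;
    if (remaining - classical_len != expected_pq_len)
        return -1;
    out->classical = buf + LEN_PREFIX;
    out->classical_len = classical_len;
    out->pq = out->classical + classical_len;
    out->pq_len = expected_pq_len;
    return 0;
}

int main(void)
{
    struct hybrid_parts parts;
    return split_hybrid(sample_blob, sizeof sample_blob, 8, 3, &parts);
}
```

Every later read or copy uses the validated `classical_len` and `pq_len` from the struct, never the raw decoded value.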
Report
This vulnerability is rated as IMPORTANT because the flaw involves improper handling of lengths decoded with DECODE_UINT32 for hybrid keys and signatures, leading to unchecked memory reads and writes. This can cause crashes or leak sensitive information, posing a significant risk as it can be exploited remotely without any user interaction or privileges.
Mitigation
It is recommended to update to the latest stable version to address this vulnerability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | oqsprovider | Affected | | |
Additional information
Status:
EPSS
8.2 High
CVSS3